[Previous entry: "Speaking engagements tomorrow and in April"] [Next entry: "Oracle is advising customers to patch the last CPU very quickly"]
David Litchfield has released a workaround for an unpatched Oracle security bug
January 25th, 2006 by Pete
Post to del.icio.us
Post to Furl
At 6.25pm today David Litchfield has posted a workaround for an un-patched critical flaw in the Oracle PL/SQL gateway. This is a component in iAS, OAS and the Oracle HTTP server. The bug allows an attacker to bypass the PLSQLExclusion list that stops access to critical packages and procedures. The post to the bugtraq mailing list is titled "Workaround for unpatched Oracle PLSQL Gateway flaw" and it gives details of mod_rewrite rules that can be added to the httpd.conf file. mod_rewrite is available on the platforms. The rules check for a trailing right hand bracket which is a signature of the attack.
I was aware of this issue as I had seen the NISCC post previously. Anyone who has the Oracle HTTP server enabled needs to apply this workaound immediatley.
